
Monday, January 14, 2013

Backtrack Forensics: magicrescue

magicrescue is another tool for carving specific file types. It uses so-called recipes, which contain the "magic bytes" of a file type, to identify files, and it calls an external application to extract each file it finds. Because it scans the raw byte stream of a block device rather than the filesystem metadata, it also finds deleted files and can recover them.

Usage:

The recipes live in /usr/local/share/magicrescue/recipes/, and there are quite a few of them.

I ran the command above to extract JPEG files from my 1G thumb drive, which contained only 2 JPEG files; everything else was deleted. When I ran it, I realized that it extracted JPEGs even from deleted PPTs that were on the drive before, which was really surprising. They were extracted by the recipe "jpeg-jfif".
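The behaviour described above (JPEGs turning up inside deleted PPTs) follows directly from how magic-byte carving works: the carver never looks at the filesystem or at container boundaries, only at the byte stream. The script below is an added illustration of that principle written for this page; it is not magicrescue's own code and does not reproduce its recipe format. The disk image, the tiny JFIF blobs and the OLE-style "PPT" container are all constructed for the example, and the `carve_jpegs` function plays the role of a `jpeg-jfif` recipe: find the JFIF signature, cut until the end-of-image marker.

```python
"""
Minimal JPEG carver illustrating what a magicrescue-style "jpeg-jfif" recipe
does: scan a raw byte stream for the JFIF magic bytes and cut out everything
up to the end-of-image marker. Constructed example, not magicrescue's code.
"""
import struct
from typing import List, Tuple

# JFIF signature: SOI marker (FF D8) followed by an APP0 marker (FF E0).
JPEG_JFIF_MAGIC = b"\xff\xd8\xff\xe0"
# End-of-image marker. In a well-formed JPEG the entropy-coded data escapes
# any FF byte as FF 00, so FF D9 should only appear as the terminator
# (EXIF thumbnails are the usual real-world exception and are ignored here).
JPEG_EOI = b"\xff\xd9"


def make_jpeg(payload: bytes) -> bytes:
    """Build a small, structurally plausible JFIF blob (constructed test data)."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (
        JPEG_JFIF_MAGIC
        + struct.pack(">H", len(app0) + 2)  # APP0 segment length includes itself
        + app0
        + b"\xff\xda" + struct.pack(">H", 2)  # start-of-scan with empty header
        + payload
        + JPEG_EOI
    )


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[Tuple[int, bytes]]:
    """Return (offset, data) for every JFIF stream in the raw image.

    No filesystem is consulted, so deleted files and images embedded inside
    other documents are returned just like live files.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_JFIF_MAGIC, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_JFIF_MAGIC))
        if end == -1 or end - start > max_size:
            # No terminator within the size limit: treat as a false positive
            # and keep scanning from the next byte.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def build_test_image() -> bytes:
    """Constructed 'thumb drive' image: one live JPEG, one deleted JPEG, and a
    PPT-like OLE2 container that embeds a JPEG. Slack space is zero-filled."""
    zeros = b"\x00" * 512
    live = make_jpeg(b"\x11" * 64)
    deleted = make_jpeg(b"\x22" * 64)  # directory entry gone, bytes still on disk
    ole2_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56  # OLE2 compound-document magic
    ppt = ole2_header + b"slide text" + make_jpeg(b"\x33" * 64) + b"\x00" * 100
    return zeros + live + zeros + deleted + zeros + ppt + zeros


if __name__ == "__main__":
    img = build_test_image()
    for offset, data in carve_jpegs(img):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```

Running it reports three JPEGs, although the "filesystem" only ever had one live picture: the deleted file and the picture embedded in the PPT container are carved just the same, which is exactly why the thumb drive above yielded more JPEGs than expected. The same property is what makes carving useful for recovery and, from a data-protection point of view, why deleting a document does not remove the images inside it from the device.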